Cybersecurity

EU’s New Standard Contractual Clauses Go into Effect This Week

A year ago, the Court of Justice of the European Union invalidated the U.S. Privacy Shield framework, previously a popular mechanism for covering the export of personal data from the EU to the U.S., as an adequate safeguard under the General Data Protection Regulation (GDPR). While the same decision also held that another GDPR-sanctioned cross-border transfer safeguard mechanism – Standard Contractual Clauses (SCCs) – remained valid, the Court took the opportunity to note in its decision that the then-current SCCs may not go far enough to safeguard the rights of European data subjects.

SCCs are pre-approved contractual terms between an EU controller or processor and a non-EU processor or sub-processor. By adopting them into a contractual arrangement where an EU party is transferring personal information to another country, the international transfer is said to have adopted “adequate safeguards” under Article 46 and should avoid running afoul of the GDPR’s restriction on such transfers. The SCCs the Court opined on pre-dated the GDPR, and there has been a push to update them since the GDPR went into effect on May 25, 2018. On June 4, 2021, the European Commission announced it had finally approved new versions …

Supreme Court Ruling Limits CFAA Application for “Insider” Authorization Misuse

Do the Computer Fraud and Abuse Act (CFAA) and its harsh penalties apply to employees who exceed their authorized access to computer systems for personal reasons? The Supreme Court has now said no.

The Supreme Court issued a 6-3 decision this week limiting the application of the CFAA against company “insiders” who exceed the scope of their authorization to access company data. The CFAA, generally speaking, provides both civil relief and criminal penalties against individuals who “access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Prior to this decision, there was a circuit split where some courts interpreted “unauthorized access” as including access to data that exceeded a limited scope of authorization provided to an individual, and other courts interpreted “unauthorized access” more narrowly to mean that the CFAA only applied to individuals who had no scope of authorized access.

In Van Buren vs. U.S., police sergeant Nathan Van Buren accessed a law enforcement database through his police-issued laptop to provide license plate information to a third party, in exchange for money, for non-law-enforcement purposes. The transaction was part of a …